Security lapses at Apple and Amazon lead to an epic hack. This could be you. [Updated]

There’s only so much you can do to protect yourself online. You can practice safe computing: not clicking on bogus links in emails or social media, using strong passwords, not giving out personal information to strangers.

You can do all these things and still be a digital victim if the processes and practices of the companies with which you do business are lacking.

And judging from the terrifying tale of Mat Honan, the security practices of two of the biggest names in tech need a lot of work.

If you use online services, you should read it carefully – particularly if you’re an Apple or Amazon.com customer. It’s long, but well worth your time.

Honan’s first paragraph lays out a summary of what happened:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

Step by step, here’s what happened to him:

• The hackers began by going to his personal website, which was linked from his Twitter account. Honan’s Gmail address was there, and they fed it to Google’s automated password-recovery flow, which showed them a partially masked version of his alternative email address. That was enough to guess it, and it happened to be an Apple .me account.

• Next, they looked up the registration record for Honan’s web domain, which yielded his billing address.

• The hacker then called Amazon, pretending to be Honan, and said he wanted to add a credit card number to the account. At the time Amazon required only the account holder’s name, billing address and an email address associated with the account to make this change. The card number itself can be faked: online tools generate numbers that look valid, and Amazon accepted the bogus one without verifying it with a card issuer. The hackers then called back and added a new email address, because Amazon verified that second call by asking for a credit card number on file, and they could recite the bogus number they had just added. With the new email in place, they requested a password reset, which gave them access to Honan’s account details, including the last four digits of his real credit card.

• Next they called AppleCare, where at the time a caller could bypass the account’s security questions by giving a customer billing address and the last four digits of a credit card on file. Apple issued a temporary password, and with it the hackers controlled Honan’s AppleID and iCloud account, to which his iPhone, iPad and MacBook Pro were linked.

• The hackers used Find My iPhone and Find My Mac to remotely wipe his devices.

• Once the hackers controlled Honan’s iCloud account, they also controlled his .me email address, which was the recovery address for his Gmail account. A Gmail password reset sent to .me got them into Gmail, and a Twitter password reset sent to Gmail gave them his @mat Twitter feed.

• Oh, and because Honan’s Twitter feed was still linked to Gizmodo’s main Twitter account – even though he’s no longer employed there – they were able to hijack @Gizmodo, too.
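The steps above are a chain of account-recovery dependencies, and the fastest way to see where such a chain could have been broken is to model it and remove one link at a time. The following is an added example, written for this page and not code from the post, from Honan’s Wired article or from any of the companies involved. It encodes each step as a rule (“a caller holding these facts can obtain this one”), forward-chains from what is public, and reports which single links would have stopped the attack on Twitter. The fact names, owner labels and notes are illustrative labels chosen for the example, not identifiers used by Apple, Amazon, Google or Twitter.

```python
"""Reachability model of an account-recovery daisy chain (added example)."""

# Each rule: (owner who could break the link, facts needed, fact gained, note).
# Constructed from the steps described in the post; labels are illustrative.
RULES = [
    ("public", {"twitter_profile"}, "personal_website", "profile links to his site"),
    ("public", {"personal_website"}, "gmail_address", "address published on the site"),
    ("google", {"gmail_address"}, "me_address", "recovery flow shows a masked alternate address; guessable"),
    ("public", {"personal_website"}, "billing_address", "domain registration record"),
    ("amazon", {"gmail_address", "billing_address"}, "bogus_card_on_file", "phone: add a card with only name, address, email"),
    ("amazon", {"bogus_card_on_file"}, "new_amazon_email", "phone: 'verify' with the card just added, attach a new email"),
    ("amazon", {"new_amazon_email"}, "amazon_account", "web: password reset sent to the new email"),
    ("amazon", {"amazon_account"}, "card_last4", "account page shows last four digits of the real card"),
    ("apple", {"me_address", "billing_address", "card_last4"}, "appleid", "AppleCare issues a temporary password; security questions bypassed"),
    ("apple", {"appleid"}, "device_wipe", "Find My iPhone / Find My Mac remote wipe"),
    ("apple", {"appleid"}, "me_mailbox", "iCloud mail for the .me address"),
    ("user", {"me_mailbox"}, "gmail_account", ".me is the Gmail recovery address and no second factor is set"),
    ("twitter", {"gmail_account"}, "twitter_account", "Twitter reset mail lands in Gmail"),
]


def derive(known, rules):
    """Forward-chain to a fixed point.

    Returns {fact: rule_that_yielded_it}; facts in `known` map to None.
    """
    have = dict.fromkeys(known)
    changed = True
    while changed:
        changed = False
        for rule in rules:
            _owner, needs, gains, _note = rule
            if gains not in have and needs.issubset(have):
                have[gains] = rule
                changed = True
    return have


def attack_path(target, known, rules):
    """Rules in the order an attacker applies them to reach `target` ([] if unreachable)."""
    have = derive(known, rules)
    if target not in have:
        return []
    path, seen = [], set()

    def walk(fact):
        rule = have[fact]
        if rule is None or fact in seen:   # a starting fact, or already explained
            return
        seen.add(fact)
        for need in sorted(rule[1]):       # explain prerequisites first
            walk(need)
        path.append(rule)

    walk(target)
    return path


def single_link_cuts(target, known, rules):
    """Rules whose removal, on its own, makes `target` unreachable, grouped by owner."""
    cuts = {}
    for rule in rules:
        without = [r for r in rules if r is not rule]
        if target not in derive(known, without):
            cuts.setdefault(rule[0], []).append(rule[2])
    return cuts


if __name__ == "__main__":
    start = {"twitter_profile"}
    for owner, needs, gains, note in attack_path("twitter_account", start, RULES):
        print(f"[{owner:7}] {' + '.join(sorted(needs))} -> {gains}  ({note})")
    print(single_link_cuts("twitter_account", start, RULES))
    # Model a second factor on Gmail by dropping the rule that lets the .me
    # mailbox alone reset Gmail: the chain to Twitter dies, but note that the
    # Amazon account, the AppleID and the device wipe are still reachable.
    hardened = [r for r in RULES if r[2] != "gmail_account"]
    print(attack_path("twitter_account", start, hardened))
    print("device_wipe" in derive(start, hardened))
```

Because every link in this particular chain is a single point of failure, `single_link_cuts` lists almost every rule; the useful part is the owner grouping, which separates what the user could have fixed (the recovery-address link) from what only Amazon or Apple could fix. Removing the Gmail link alone protects Twitter but not the devices, which is the caveat to keep in mind when reading Honan’s own remark about two-factor authentication later in the post.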

In this nasty timeline, you can see how quickly the hack proceeded:

At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his .Me e-mail — which, of course, was my .Me e-mail.

In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.

At 4:50 p.m., a password reset confirmation arrived in my inbox. I don’t really use my .Me e-mail, and rarely check it. But even if I did, I might not have noticed the message because the hackers immediately sent it to the trash. They then were able to follow the link in that e-mail to permanently reset my AppleID password.

At 5:02 p.m., they reset my Twitter password. At 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack.

By wiping my MacBook and deleting my Google account, they now not only had the ability to control my account, but were able to prevent me from regaining access. And crazily, in ways that I don’t and never will understand, those deletions were just collateral damage. My MacBook data — including those irreplaceable pictures of my family, of my child’s first year and relatives who have now passed from this life — weren’t the target. Nor were the eight years of messages in my Gmail account. The target was always Twitter. My MacBook data was torched simply to prevent me from getting back in.

Clearly, weak processes at Amazon and Apple enabled this disaster, but Honan also lays part of the blame on himself:

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Honan has been in touch with Apple and Amazon, and hopefully this episode will cause both companies to tighten their procedures. He has also been in touch with one of the hackers, who provided him with the details of how it was done.

Again, read the whole thing. It may cause you to make some changes in the way your own digital life is constructed.

Update: Amazon.com reportedly has made changes to the customer service policies that helped enable the hack of Mat Honan.

On Tuesday, Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.

Amazon officials weren’t available for comment on the security changes, but during phone calls to Amazon customer service on Tuesday, representatives told us that the changes were sent out this morning and put in place for “your security.”

Apple has said it is reviewing its policies but so far has not announced any changes. Wired reports, however, that Apple has at least temporarily frozen AppleID password resets over the phone:

An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours. The employee speculated that the freeze was put in place to give Apple more time to determine what security policies needed to be changed, if any.

[deletia]

Our Apple source’s information was corroborated by an Apple customer service representative, who told us Apple was halting all AppleID password resets by phone. The AppleCare representative shared that detail while Wired was attempting to replicate Honan’s hackers’ exploitation of Apple’s system for the second day. The attempt failed, and the representative said that the company was going through system-wide “maintenance updates” that prevented anyone from resetting any passwords over the phone. The rep said we should try calling back after about 24 hours, and directed us to iforgot.apple.com to change AppleID passwords ourselves on the web instead.